diff --git a/modules/Makefile b/modules/Makefile
index 4c8932a..c3d27a0 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -46,7 +46,7 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "ARNPrefix=${PARAM_ARN_PREFIX}"
+ "Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.events.cft.yaml \
@@ -59,7 +59,7 @@ deploy:
 "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "ARNPrefix=${PARAM_ARN_PREFIX}"
+ "Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.s3.cft.yaml \
diff --git a/modules/foundational.cft.yaml b/modules/foundational.cft.yaml
index e29af98..2efc86b 100644
--- a/modules/foundational.cft.yaml
+++ b/modules/foundational.cft.yaml
@@ -11,7 +11,7 @@ Metadata:
 - TrustedIdentity
 - IsOrganizational
 - OrganizationalUnitIDs
- - ARNPrefix
+ - Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -23,8 +23,8 @@ Metadata:
 default: Is Organizational
 OrganizationalUnitIDs:
 default: Organizational Unit IDs
- ARNPrefix:
- default: ARN Prefix
+ Partition:
+ default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -48,10 +48,10 @@ Parameters:
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
 Description: Comma separated list of organizational unit IDs to deploy
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
- Default: 'arn:aws'
+ Description: AWS Partition of your account or organization to create resources in
+ Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
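Review bot: The new `"Partition=${PARAM_PARTITION}"` override is passed unconditionally, so when PARAM_PARTITION is unset the stack most likely receives `Partition=` (an empty string) and the template's `Default: 'aws'` never applies; every `!Sub arn:${Partition}:...` then renders as `arn::...` and the deploy fails on the managed policy ARNs. Where PARAM_PARTITION is defined lies outside this hunk, so the fix belongs there: a `PARAM_PARTITION ?= aws` default would keep the Makefile in step with the template. The same applies to the second hunk at -59. As a point of style, the rewritten line uses `${PARAM_PARTITION}` while its neighbours use `$(...)`; `"Partition=$(PARAM_PARTITION)"` keeps the recipe consistent. The deploy recipe begins before this hunk.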
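Review bot: `Partition` is introduced at -48 as a free-form `Type: String` that is spliced into every ManagedPolicyArns entry and IAM policy Resource in this template, yet nothing constrains its value; a typo produces policies whose Resource matches nothing, which only surfaces at runtime rather than at stack validation. CloudFormation already exposes the deploying account's partition as the `AWS::Partition` pseudo parameter, so `!Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit` would need no parameter at all, and since stack set instances deploy into the administrator account's partition the same works inside the nested TemplateBody. If the parameter is kept for the Makefile's sake, add `AllowedValues: [aws, aws-cn, aws-us-gov]` under it here, to the identical parameter at -96 in log_ingestion.events.cft.yaml, and to the nested-template copies at -185, -239, -303 and -396. The Conditions block continues past this hunk.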
@@ -75,7 +75,7 @@ Resources:
 sts:ExternalId:
 Ref: ExternalID
 ManagedPolicyArns:
- - !Sub ${ARNPrefix}:iam::aws:policy/SecurityAudit
+ - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -89,8 +89,8 @@ Resources:
 - waf-regional:ListRules
 - waf-regional:ListRuleGroups
 Resource:
- - !Sub ${ARNPrefix}:waf-regional:*:*:rule/*
- - !Sub ${ARNPrefix}:waf-regional:*:*:rulegroup/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: Allow
 Action: macie2:ListClassificationJobs
 Resource: '*'
@@ -121,7 +121,7 @@ Resources:
 ManagedPolicyArns:
 Fn::If:
 - IsOrganizational
- - - !Sub ${ARNPrefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+ - - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
 - - !Ref AWS::NoValue
 Policies:
 - PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
@@ -161,9 +161,9 @@ Resources:
 - ParameterKey: ExternalID
 ParameterValue:
 Ref: ExternalID
- - ParameterKey: ARNPrefix
+ - ParameterKey: Partition
 ParameterValue:
- Ref: ARNPrefix
+ Ref: Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -185,9 +185,9 @@ Resources:
 ExternalID:
 Type: String
 Description: external ID
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
+ Description: AWS Partition of your account or organization to create resources in Resources: ConfigPostureRole:
@@ -205,7 +205,7 @@ Resources:
 StringEquals:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
- - !Sub ${ARNPrefix}:iam::aws:policy/SecurityAudit
+ - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -219,8 +219,8 @@ Resources:
 - "waf-regional:ListRules"
 - "waf-regional:ListRuleGroups"
 Resource:
- - !Sub ${ARNPrefix}:waf-regional:*:*:rule/*
- - !Sub ${ARNPrefix}:waf-regional:*:*:rulegroup/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
diff --git a/modules/log_ingestion.events.cft.yaml b/modules/log_ingestion.events.cft.yaml
index 82b1616..d2aef97 100644
--- a/modules/log_ingestion.events.cft.yaml
+++ b/modules/log_ingestion.events.cft.yaml
@@ -15,7 +15,7 @@ Metadata:
 - RuleEventPattern
 - IsOrganizational
 - OrganizationalUnitIDs
- - ARNPrefix
+ - Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -35,8 +35,8 @@ Metadata:
 default: Is Organizational
 OrganizationalUnitIDs:
 default: Organizational Unit IDs
- ARNPrefix:
- default: ARN Prefix
+ Partition:
+ default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -96,10 +96,10 @@ Parameters:
 AllowedValues:
 - 'true'
 - 'false'
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
- Default: 'arn:aws'
+ Description: AWS Partition of your account or organization to create resources in
+ Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
@@ -127,7 +127,7 @@ Resources:
 Action:
 - sts:AssumeRole
 Resource:
- - !Sub ${ARNPrefix}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
+ - !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
 ExecutionRole:
 Type: AWS::IAM::Role
 Properties:
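Review bot: The rewritten sts:AssumeRole Resource at -127, `arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}`, still carries an empty account field; an IAM role ARN has the shape `arn:<partition>:iam::<account-id>:role/<name>`, so as written this statement likely matches no real role and the administration role cannot assume the execution role. The empty field predates this commit, but the line is rewritten here and is the natural place to settle it: `${AWS::AccountId}` if only the current account is meant, or `*` in the account position if the execution role lives in every target account. The policy document that contains this statement begins before the hunk, so confirm against the ExecutionRole's trust policy further down.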
@@ -142,8 +142,8 @@ Resources:
 Action:
 - sts:AssumeRole
 ManagedPolicyArns:
- - !Sub ${ARNPrefix}:iam::aws:policy/AmazonEventBridgeFullAccess
- - !Sub ${ARNPrefix}:iam::aws:policy/AWSCloudFormationFullAccess
+ - !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
+ - !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -175,7 +175,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
- - !Sub ${ARNPrefix}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
+ - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
 EventBridgeRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Metadata:
@@ -211,8 +211,8 @@ Resources:
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
 ParameterValue: !Ref RuleEventPattern
- - ParameterKey: ARNPrefix
- ParameterValue: !Ref ARNPrefix
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 Accounts:
@@ -239,9 +239,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -253,7 +253,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Sub ${TargetEventBusARN}
- RoleArn: !Sub ${ARNPrefix}:iam::${AWS::AccountId}:role/${Name}
+ RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
 OrganizationRoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -281,8 +281,8 @@ Resources:
 ParameterValue: !Ref ExternalID
 - ParameterKey: TargetEventBusARN
 ParameterValue: !Ref TargetEventBusARN
- - ParameterKey: ARNPrefix
- ParameterValue: !Ref ARNPrefix
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -303,9 +303,9 @@ Resources:
 TargetEventBusARN:
 Type: String
 Description: The destination in Sysdig's AWS account where your events are sent
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRole:
 Type: AWS::IAM::Role
@@ -338,7 +338,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
- - !Sub ${ARNPrefix}:events:*:*:rule/${Name}
+ - !Sub arn:${Partition}:events:*:*:rule/${Name}
 OrganizationRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -369,8 +369,8 @@ Resources:
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
 ParameterValue: !Ref RuleEventPattern
- - ParameterKey: ARNPrefix
- ParameterValue: !Ref ARNPrefix
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -396,9 +396,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
- ARNPrefix:
+ Partition:
 Type: String
- Description: ARN prefix for the resources based on your account or organization partition
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -410,7 +410,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Ref TargetEventBusARN
- RoleArn: !Sub "${ARNPrefix}:iam::${AWS::AccountId}:role/${Name}"
+ RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
 Outputs:
 EventBridgeRoleARN:
 Description: Sysdig Secure EventBridge Role ARN
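Review bot: This RoleArn is written as a double-quoted `!Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"`, while the equivalent RoleArn rewritten at -253 in the same file is the unquoted `!Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}`; both parse identically, but since the two lines were touched together it is worth settling on one form. This line already mixes a pseudo parameter (`${AWS::AccountId}`) with the user-supplied `${Partition}`, which is one more reason to consider `${AWS::Partition}` alongside it. The Targets block starts before this hunk.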